Watch the bugs and don't get stung, or complacent
- By John McCormick
- Feb 21, 2003
New server software vulnerabilities pop up every day, but most are never exploited. That can lead to complacency on the part of Web site administrators.
Smart administrators keep up with a list compiled by the FBI and the SANS Institute of Bethesda, Md., at www.sans.org/top20, showing regularly exploited vulnerabilities. But as the SANS site notes, 'Administrators reported that they had not corrected many of these flaws because they simply did not know which were most dangerous, and they were too busy to correct them all.'
Some help will come from the Homeland Security Department's free FedCIRC patching service, just now getting under way and tied to agency-supplied profiles of individual servers.
In the meantime, Microsoft Internet Information Services software and the open-source Apache HTTP Server are the most-often exploited platforms because they have the most installations.
The top 20 list shows that patches aren't being rigorously applied, because exploits can succeed only if administrators fail to configure firewalls properly or to install available patches.
Here's an example of how a cracker could use the information in the accompanying table: The Commerce Department's site, www.DOC.gov, reports using Apache 1.3.27 with Red Hat Linux mod_ssl/2.8.12, OpenSSL/0.9.6b and mod_perl/1.26. OpenSSL is the open-source implementation of the Secure Sockets Layer protocol.
- The CERT Coordination Center's Advisory 2002-27, dated Sept. 14, 2002, said, 'Linux systems running Apache with mod_ssl accessing SSLv2-enabled OpenSSL 0.9.6d or earlier' are vulnerable to the Apache/mod_ssl worm, also known as linux.slapper.worm and the bugtraq.c worm.
- CERT Advisory 2002-23, dated July 30, 2002, listed multiple OpenSSL vulnerabilities prior to Version 0.9.6e, up to and including the second beta prerelease, 0.9.7.
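An administrator can do the same banner-to-advisory mapping for their own fleet. The following Python is an added example, not from the article or from CERT, that parses an Apache Server banner and checks the component versions against the two CERT advisories and the Apache 1.3.27 baseline cited above; the banner strings are constructed to resemble the DOC.gov and USGS.gov servers the article mentions.

```python
import re

# Matches "Apache/1.3.27", "mod_ssl/2.8.12", "OpenSSL/0.9.6b", "OpenSSL/0.9.7-beta2"
BANNER_RE = re.compile(r"([A-Za-z_]+)/(\d+(?:\.\d+)*[a-z]?(?:-beta\d+)?)")

def version_key(v):
    """Sortable tuple for Apache/OpenSSL version strings.
    OpenSSL letter releases sort after the bare number (0.9.6 < 0.9.6a < 0.9.6e)
    and a -betaN tag sorts before the final release (0.9.7-beta2 < 0.9.7)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z])?(?:-beta(\d+))?", v)
    if not m:
        raise ValueError(f"unparseable version: {v}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    letter = ord(m.group(2)) - ord("a") + 1 if m.group(2) else 0
    released, beta = (1, 0) if m.group(3) is None else (0, int(m.group(3)))
    return nums, released, beta, letter

def parse_banner(banner):
    """Map a Server banner to {component: version}, ignoring OS tokens like (Unix)."""
    return {name: ver for name, ver in BANNER_RE.findall(banner)}

def check_banner(banner):
    """Return the advisories from the article that the banner's versions fall under."""
    parts, hits = parse_banner(banner), []
    ssl = parts.get("OpenSSL")
    if ssl:
        k = version_key(ssl)
        # CA-2002-23: OpenSSL before 0.9.6e, plus the 0.9.7 betas up to beta2
        if k < version_key("0.9.6e") or (k[0] == (0, 9, 7) and k[1] == 0 and k[2] <= 2):
            hits.append(f"CA-2002-23: OpenSSL {ssl} has multiple known flaws (fixed in 0.9.6e)")
        # CA-2002-27: Slapper needs mod_ssl in front of OpenSSL 0.9.6d or earlier
        if "mod_ssl" in parts and k <= version_key("0.9.6d"):
            hits.append(f"CA-2002-27: Apache/mod_ssl with OpenSSL {ssl} is exposed to the Slapper worm")
    ap = parts.get("Apache")
    if ap and version_key(ap) < version_key("1.3.27"):
        hits.append(f"Apache {ap} is older than the current 1.3.27 release")
    return hits

# Constructed banners modelled on the servers named in the article (assumed, not captured).
DOC_BANNER = "Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_ssl/2.8.12 OpenSSL/0.9.6b mod_perl/1.26"
USGS_BANNER = "Apache/1.3.12 (Unix)"

if __name__ == "__main__":
    for b in (DOC_BANNER, USGS_BANNER):
        print(b)
        for h in check_banner(b):
            print("  -", h)
```

A banner is a hint, not proof: Red Hat shipped backported fixes under the same OpenSSL 0.9.6b version string, so confirm with the package's errata level before declaring a server patched or unpatched.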
Various Apache versions have 28 holes mentioned in the Common Vulnerabilities and Exposures lexicon, at cve.mitre.org, maintained by Mitre Corp. of Bedford, Mass., and on the SANS-FBI top 20 list.
As of last month, the latest version of Apache HTTP Server is 1.3.27. Some federal sites, notably USGS.gov, still report running Apache 1.3.12 and therefore are probably behind the curve in patching security holes.
The SANS-FBI list shows 25 known vulnerabilities in various versions of Microsoft IIS. As recently as last October, Microsoft released a cumulative patch, MS02-062, to fix new and existing security holes found in IIS 4.0, 5.0 and 5.1. Any server software not patched since October is vulnerable.
Some of these vulnerabilities permit denial-of-service events, while others let an attacker take over the server completely.